Qt / QTBUG-105057

vnc: Setting override cursor causes a crash on client disconnect


Details

    • Other
    • 9b6e79abbe (qt/qtbase/dev) 9b6e79abbe (qt/tqtc-qtbase/dev) b0cadd5ed2 (qt/qtbase/6.4.0) 1f9b635044 (qt/tqtc-qtbase/5.15) d7620f1b74 (qt/qtbase/6.4) d7620f1b74 (qt/tqtc-qtbase/6.4) b0cadd5ed2 (qt/tqtc-qtbase/6.4.0) 978087f351 (qt/tqtc-qtbase/6.2)

    Description

      When multiple VNC clients are connected, the application may crash after an override cursor is set and one of the clients disconnects.

      To reproduce:

      • start attached application with "-platform vnc"
      • connect with multiple vnc clients
      • click "Start autotest: set only"
      • disconnect one of the clients

      It seems that on disconnect, QVncClient objects in QVncClientCursor are not cleared up and it touches already freed memory.

      Stack trace of one of the crashes (5.15.10):

      1  isRecursive                                                             qmutex.cpp                62   0x7ffff643084f 
      2  QMutex::lock                                                            qmutex.cpp                232  0x7ffff643084f 
      3  std::unique_lock<QMutex>::lock                                          mutex                     485  0x7ffff661a891 
      4  std::unique_lock<QMutex>::unique_lock                                   mutex                     415  0x7ffff661a891 
      5  (anonymous namespace)::qt_unique_lock<QMutex, std::unique_lock<QMutex>> qlocking_p.h              106  0x7ffff661a891 
      6  QCoreApplicationPrivate::lockThreadPostEventList                        qcoreapplication.cpp      1500 0x7ffff661da03 
      7  QCoreApplication::postEvent                                             qcoreapplication.cpp      1546 0x7ffff661ea59 
      8  QVncClient::scheduleUpdate                                              qvncclient.cpp            445  0x7fffeed456e1 
      9  QVncClient::setDirtyCursor                                              qvncclient.h              72   0x7fffeed442d8 
      10 QVncClientCursor::changeCursor                                          qvnc.cpp                  607  0x7fffeed442d8 
      11 applyCursor                                                             qguiapplication.cpp       4065 0x7ffff6cf0292 
      12 applyCursor                                                             qguiapplication.cpp       4080 0x7ffff6cf0292 
      13 QGuiApplication::setOverrideCursor                                      qguiapplication.cpp       4147 0x7ffff6cf0292 
      14 CursorDialog::setRandomOverrideCursor                                   cursordialog.cpp          175  0x405ba1       
      15 CursorDialog::timerEvent                                                cursordialog.cpp          118  0x405a02       
      16 QObject::event                                                          qobject.cpp               1324 0x7ffff665140c 
      17 QWidget::event                                                          qwidget.cpp               9106 0x7ffff766f394 
      18 QApplicationPrivate::notify_helper                                      qapplication.cpp          3640 0x7ffff7623ac3 
      19 QApplication::notify                                                    qapplication.cpp          3590 0x7ffff762cd19 
      20 QCoreApplication::notifyInternal2                                       qcoreapplication.cpp      1064 0x7ffff661ba1c 
      21 QCoreApplication::sendEvent                                             qcoreapplication.cpp      1462 0x7ffff661bc60 
      22 QTimerInfoList::activateTimers                                          qtimerinfo_unix.cpp       643  0x7ffff667d85a 
      23 timerSourceDispatch                                                     qeventdispatcher_glib.cpp 183  0x7ffff667e08f 
      24 g_main_context_dispatch                                                                                0x7ffff3e9e267 
      25 ??                                                                                                     0x7ffff3e9e4c0 
      26 g_main_context_iteration                                                                               0x7ffff3e9e56c 
      27 QEventDispatcherGlib::processEvents                                     qeventdispatcher_glib.cpp 425  0x7ffff667e49d 
      28 QPAEventDispatcherGlib::processEvents                                   qeventdispatcher_glib.cpp 120  0x7fffeed51d78 
      29 QEventLoop::processEvents                                               qeventloop.cpp            142  0x7ffff66195bf 
      30 QEventLoop::exec                                                        qeventloop.cpp            235  0x7ffff6619a29 
      31 QCoreApplication::exec                                                  qcoreapplication.cpp      1375 0x7ffff6623fb8 
      32 QGuiApplication::exec                                                   qguiapplication.cpp       1870 0x7ffff6cee98a 
      33 QApplication::exec                                                      qapplication.cpp          2832 0x7ffff76239a1 
      34 main                                                                    main.cpp                  12   0x4065c6       
      

      Valgrind output (5.15.10):

      Invalid write of size 1
        in CursorDialog::setRandomOverrideCursor() in /home/user/work/overridecursor/cursordialog.cpp:175
        1: setDirtyCursor in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvncclient.h:72
        2: QVncClientCursor::changeCursor(QCursor*, QWindow*) in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvnc.cpp:607
        3: applyCursor in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:4065
        4: applyCursor in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:4080
        5: QGuiApplication::setOverrideCursor(QCursor const&) in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:4147
        6: CursorDialog::setRandomOverrideCursor() in /home/user/work/overridecursor/cursordialog.cpp:175
        7: CursorDialog::timerEvent(QTimerEvent*) in /home/user/work/overridecursor/cursordialog.cpp:118
        8: QObject::event(QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:1324
        9: QWidget::event(QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qwidget.cpp:9106
        10: QApplicationPrivate::notify_helper(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3640
        11: QApplication::notify(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3590
        12: QCoreApplication::notifyInternal2(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
        13: QCoreApplication::sendEvent(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1462
        14: QTimerInfoList::activateTimers() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qtimerinfo_unix.cpp:643
        15: timerSourceDispatch(_GSource*, int (*)(void*), void*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:183
        16: g_main_context_dispatch in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        17: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        18: g_main_context_iteration in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        19: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
        20: QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:120
        21: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:142
        22: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:235
        23: QCoreApplication::exec() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
        24: QGuiApplication::exec() in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:1870
        25: QApplication::exec() in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2832
        26: main in /home/user/work/overridecursor/main.cpp:12
      Address 0xeb64618 is 104 bytes inside a block of size 128 free'd
        1: operator delete(void*, unsigned long) in /home/user/work/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:593
        2: QVncClient::~QVncClient() in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvncclient.cpp:84
        3: qDeleteInEventHandler(QObject*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:4854
        4: QObject::event(QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:1334
        5: QVncClient::event(QEvent*) in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvncclient.cpp:456
        6: QApplicationPrivate::notify_helper(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3640
        7: QApplication::notify(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2980
        8: QCoreApplication::notifyInternal2(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
        9: QCoreApplication::sendEvent(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1462
        10: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1821
        11: QCoreApplication::sendPostedEvents(QObject*, int) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1680
        12: postEventSourceDispatch(_GSource*, int (*)(void*), void*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
        13: g_main_context_dispatch in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        14: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        15: g_main_context_iteration in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        16: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
        17: QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:120
        18: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:142
        19: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:235
        20: QCoreApplication::exec() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
        21: QGuiApplication::exec() in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:1870
        22: QApplication::exec() in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2832
        23: main in /home/user/work/overridecursor/main.cpp:12
      Block was alloc'd at
        1: operator new(unsigned long) in /home/user/work/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:342
        2: QVncServer::newConnection() in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvnc.cpp:662
        3: QVncServer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) in /home/user/work/qt/5.15/qtbase/src/plugins/platforms/vnc/.moc/moc_qvnc_p.cpp:75
        4: void doActivate<false>(QObject*, int, void**) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:3937
        5: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:3985
        6: QTcpServer::newConnection() in /home/user/work/qt/5.15/qtbase/src/network/.moc/moc_qtcpserver.cpp:155
        7: QTcpServerPrivate::readNotification() in /home/user/work/qt/git/qtbase/src/network/socket/qtcpserver.cpp:224
        8: QAbstractSocketEngine::readNotification() in /home/user/work/qt/git/qtbase/src/network/socket/qabstractsocketengine.cpp:160
        9: QReadNotifier::event(QEvent*) in /home/user/work/qt/git/qtbase/src/network/socket/qnativesocketengine.cpp:1274
        10: QApplicationPrivate::notify_helper(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3640
        11: QApplication::notify(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2980
        12: QCoreApplication::notifyInternal2(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
        13: QCoreApplication::sendEvent(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1462
        14: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:107
        15: g_main_context_dispatch in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        16: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        17: g_main_context_iteration in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
        18: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
        19: QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:120
        20: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:142
        21: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:235
        22: QCoreApplication::exec() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
        23: QGuiApplication::exec() in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:1870
        24: QApplication::exec() in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2832
        25: main in /home/user/work/overridecursor/main.cpp:12
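
The lifetime problem the report describes, reduced to a model without Qt. This is an added example, not code from the report or from qtbase and not the actual fix. `Client`, `CursorRegistry`, `unregisterOnDestroy` and `registeredAfterDisconnect` are hypothetical stand-ins for QVncClient and QVncClientCursor, and the one-byte `dirtyCursor` flag is an assumption based on the "Invalid write of size 1" in setDirtyCursor.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

struct Client;

// Stand-in for the cursor object: keeps non-owning pointers to clients.
struct CursorRegistry {
    std::vector<Client*> clients;
    void add(Client* c) { clients.push_back(c); }
    void remove(Client* c) {
        clients.erase(std::remove(clients.begin(), clients.end(), c), clients.end());
    }
    std::size_t changeCursor();  // marks every registered client dirty
};

// Stand-in for a connected client (hypothetical, not QVncClient itself).
struct Client {
    CursorRegistry* registry;
    bool unregisterOnDestroy;
    bool dirtyCursor = false;
    Client(CursorRegistry* r, bool unregister)
        : registry(r), unregisterOnDestroy(unregister) { registry->add(this); }
    ~Client() {
        // Hardened path: drop the back-reference before the memory is released.
        if (unregisterOnDestroy) registry->remove(this);
    }
    void setDirtyCursor() { dirtyCursor = true; }  // the one-byte write
};

std::size_t CursorRegistry::changeCursor() {
    for (Client* c : clients) c->setDirtyCursor();
    return clients.size();
}

// Connect two clients, disconnect one, and report how many pointers the
// registry still holds. A result above 1 means a stale pointer remains that
// changeCursor() would write through (the use-after-free in the trace).
std::size_t registeredAfterDisconnect(bool unregisterOnDestroy) {
    CursorRegistry registry;
    Client* a = new Client(&registry, unregisterOnDestroy);
    Client* b = new Client(&registry, unregisterOnDestroy);
    delete b;  // client disconnects
    std::size_t remaining = registry.clients.size();
    if (remaining == 1) registry.changeCursor();  // only safe with no stale entry
    registry.clients.clear();
    delete a;
    return remaining;
}
```

Building a reproducer like the attached application with AddressSanitizer or running it under Valgrind, as the reporter did, is what turns the stale entry into a reported invalid write instead of an intermittent crash.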
      

          People

            esabraha Eskil Abrahamsen Blomfeldt
            poikelin Joni Poikelin