  1. Qt
  2. QTBUG-111880

Use-after-free race condition in QSemaphore

Details

    • Bug
    • Resolution: Cannot Reproduce
    • P1: Critical
    • None
    • 6.4.2
    • GUI: Painting
    • None
    • macOS 10.14
    • macOS

    Description

      Related to, but distinct from, QTBUG-102484, since macOS does not use futex.

      I guess the order of operations here is:

      1. Thread T7 calls QSemaphore::release, which takes a scoped lock on the mutex and calls d->cond.notify_all()
      2. Thread T0 receives the notification, QSemaphore::acquire stops blocking, QSemaphore goes out of scope and its destructor deletes d
      3. Thread T7 locker goes out of scope, its destructor tries to use d->mutex, but this has already been deleted by T0

      I guess that QSemaphore::release needs to put const auto locker = qt_scoped_lock(d->mutex); d->avail += n; in a separate block so that lock is destroyed before sending the notification and will not race the main thread to destruction, though I am not sure that this wouldn’t just move the race onto d->cond instead if the QSemaphore is waiting for fewer resources than will be released by threads?

      =================================================================
      ==79936==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000abd180 at pc 0x00010fd4f490 bp 0x7000028f8e90 sp 0x7000028f8e88
      WRITE of size 8 at 0x603000abd180 thread T7
      #0 0x10fd4f48f in std::__1::__atomic_base<QMutexPrivate*, false>::compare_exchange_strong(QMutexPrivate*&, QMutexPrivate*, std::__1::memory_order, std::__1::memory_order) + 1967 at atomic:956:17
      #1 0x10fd5018c in bool QAtomicOps<QMutexPrivate*>::testAndSetRelease<QMutexPrivate*>(std::__1::atomic<QMutexPrivate*>&, QMutexPrivate*, QMutexPrivate*, QMutexPrivate**) + 332 at qatomic_cxx11.h:293:29
      #2 0x10fd50028 in QBasicAtomicPointer<QMutexPrivate>::testAndSetRelease(QMutexPrivate*, QMutexPrivate*) + 40 at qbasicatomic.h:208:14
      #3 0x1109c3887 in QBasicMutex::unlockInternal() + 215 at qmutex.cpp:790:19
      #4 0x10fd4fbde in QBasicMutex::unlock() + 110 at qmutex.h:83:13
      #5 0x1109d3384 in QtPrivate::mutex::unlock() + 20 at qwaitcondition_p.h:51:36
      #6 0x1109dd057 in std::__1::lock_guard<QtPrivate::mutex>::~lock_guard() + 71 at __mutex_base:109:80
      #7 0x1109da5a4 in std::__1::lock_guard<QtPrivate::mutex>::~lock_guard() + 20 at __mutex_base:109:74
      #8 0x1109da466 in QSemaphore::release(int) + 630 at qsemaphore.cpp:379:1
      #9 0x10d8be8ed in void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()::operator()() const (libQt6Gui_debug.6.dylib:x86_64+0x1bb58ed) at qdrawhelper.cpp:4015:5
      #10 0x10d8be72c in decltype(std::__1::forward<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()&>(fp)()) std::__1::__invoke<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()&>(void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()&&&) (libQt6Gui_debug.6.dylib:x86_64+0x1bb572c)
      #11 0x10d8be6dc in void std::__1::__invoke_void_return_wrapper<void>::__call<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()&>(void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()&&&) (libQt6Gui_debug.6.dylib:x86_64+0x1bb56dc)
      #12 0x10d8be6ac in std::__1::__function::__alloc_func<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'(), std::__1::allocator<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()>, void ()>::operator()() (libQt6Gui_debug.6.dylib:x86_64+0x1bb56ac)
      #13 0x10d8baf08 in std::__1::__function::__func<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'(), std::__1::allocator<void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&)::'lambda'()>, void ()>::operator()() (libQt6Gui_debug.6.dylib:x86_64+0x1bb1f08)
      #14 0x110690a2d in std::__1::__function::__value_func<void ()>::operator()() const (libQt6Core_debug.6.dylib:x86_64+0x971a2d)
      #15 0x110690914 in std::__1::function<void ()>::operator()() const (libQt6Core_debug.6.dylib:x86_64+0x971914)
      #16 0x1106908a8 in FunctionRunnable::run() (libQt6Core_debug.6.dylib:x86_64+0x9718a8)
      #17 0x1109de3d0 in QThreadPoolThread::run() (libQt6Core_debug.6.dylib:x86_64+0xcbf3d0)
      #18 0x1109c0c9d in QThreadPrivate::start(void*)::$_0::operator()() const (libQt6Core_debug.6.dylib:x86_64+0xca1c9d)
      #19 0x1109b9edc in void (anonymous namespace)::terminate_on_exception<QThreadPrivate::start(void*)::$_0>(QThreadPrivate::start(void*)::$_0&&) (libQt6Core_debug.6.dylib:x86_64+0xc9aedc)
      #20 0x1109b9b4a in QThreadPrivate::start(void*) (libQt6Core_debug.6.dylib:x86_64+0xc9ab4a)
      #21 0x7fff75f362ea in _pthread_body (libsystem_pthread.dylib:x86_64+0x32ea)
      #22 0x7fff75f39248 in _pthread_start (libsystem_pthread.dylib:x86_64+0x6248)
      #23 0x7fff75f3540c in thread_start (libsystem_pthread.dylib:x86_64+0x240c)

      0x603000abd180 is located 0 bytes inside of 24-byte region [0x603000abd180,0x603000abd198)
      freed by thread T0 here:
      #0 0x111cbdb02 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6eb02)
      #1 0x1109d9992 in QSemaphore::~QSemaphore() + 98 at qsemaphore.cpp:281:9
      #2 0x1109d99d4 in QSemaphore::~QSemaphore() + 20 at qsemaphore.cpp:279:1
      #3 0x10d8b8bd9 in void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&) + 2121 at qdrawhelper.cpp:4015:5
      #4 0x10d7c32bc in blend_src_generic(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x1aba2bc)
      #5 0x10d7c20ab in qBlendTexture(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x1ab90ab)
      #6 0x10c66b071 in qt_span_fill_clipped(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x962071)
      #7 0x10c8d431f in QSpanBuffer::flushSpans() (libQt6Gui_debug.6.dylib:x86_64+0xbcb31f)
      #8 0x10c8b9323 in QSpanBuffer::addSpan(int, int, int, int) (libQt6Gui_debug.6.dylib:x86_64+0xbb0323)
      #9 0x10c8ca4ef in QRasterizer::rasterizeLine(QPointF const&, QPointF const&, double, bool) (libQt6Gui_debug.6.dylib:x86_64+0xbc14ef)
      #10 0x10c654287 in QRasterPaintEngine::drawImage(QRectF const&, QImage const&, QRectF const&, QFlags<Qt::ImageConversionFlag>) (libQt6Gui_debug.6.dylib:x86_64+0x94b287)
      #11 0x10c6eb266 in QPainter::drawImage(QRectF const&, QImage const&, QRectF const&, QFlags<Qt::ImageConversionFlag>) (libQt6Gui_debug.6.dylib:x86_64+0x9e2266)
      #12 0x107de56a9 in color_widgets::ColorWheel::paintEvent(QPaintEvent*) qpainter.h:791
      #13 0x1093857f9 in QWidget::event(QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x2757f9)
      #14 0x109133c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x23c8c)
      #15 0x109141edf in QApplication::notify(QObject*, QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x31edf)
      #16 0x10ffe5bdd in QCoreApplication::notifyInternal2(QObject*, QEvent*) (libQt6Core_debug.6.dylib:x86_64+0x2c6bdd)
      #17 0x10ffe8adc in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (libQt6Core_debug.6.dylib:x86_64+0x2c9adc)
      #18 0x10936045d in QWidgetPrivate::sendPaintEvent(QRegion const&) (libQt6Widgets_debug.6.dylib:x86_64+0x25045d)
      #19 0x109335633 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x225633)
      #20 0x109361f91 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251f91)
      #21 0x1093361d6 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x2261d6)
      #22 0x109361f91 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251f91)
      #23 0x1093361d6 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x2261d6)
      #24 0x109361f91 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251f91)
      #25 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #26 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #27 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #28 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #29 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)

      previously allocated by thread T0 here:
      #0 0x111cbd502 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6e502)
      #1 0x1109d9853 in QSemaphore::QSemaphore(int) + 83 at qsemaphore.cpp:268:13
      #2 0x1109d991a in QSemaphore::QSemaphore(int) + 26 at qsemaphore.cpp:260:1
      #3 0x10d8b8997 in void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&) + 1543 at qdrawhelper.cpp:4015:5
      #4 0x10d7c32bc in blend_src_generic(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x1aba2bc)
      #5 0x10d7c20ab in qBlendTexture(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x1ab90ab)
      #6 0x10c66b071 in qt_span_fill_clipped(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x962071)
      #7 0x10c8d431f in QSpanBuffer::flushSpans() (libQt6Gui_debug.6.dylib:x86_64+0xbcb31f)
      #8 0x10c8b9323 in QSpanBuffer::addSpan(int, int, int, int) (libQt6Gui_debug.6.dylib:x86_64+0xbb0323)
      #9 0x10c8ca4ef in QRasterizer::rasterizeLine(QPointF const&, QPointF const&, double, bool) (libQt6Gui_debug.6.dylib:x86_64+0xbc14ef)
      #10 0x10c654287 in QRasterPaintEngine::drawImage(QRectF const&, QImage const&, QRectF const&, QFlags<Qt::ImageConversionFlag>) (libQt6Gui_debug.6.dylib:x86_64+0x94b287)
      #11 0x10c6eb266 in QPainter::drawImage(QRectF const&, QImage const&, QRectF const&, QFlags<Qt::ImageConversionFlag>) (libQt6Gui_debug.6.dylib:x86_64+0x9e2266)
      #12 0x107de56a9 in color_widgets::ColorWheel::paintEvent(QPaintEvent*) qpainter.h:791
      #13 0x1093857f9 in QWidget::event(QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x2757f9)
      #14 0x109133c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x23c8c)
      #15 0x109141edf in QApplication::notify(QObject*, QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x31edf)
      #16 0x10ffe5bdd in QCoreApplication::notifyInternal2(QObject*, QEvent*) (libQt6Core_debug.6.dylib:x86_64+0x2c6bdd)
      #17 0x10ffe8adc in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (libQt6Core_debug.6.dylib:x86_64+0x2c9adc)
      #18 0x10936045d in QWidgetPrivate::sendPaintEvent(QRegion const&) (libQt6Widgets_debug.6.dylib:x86_64+0x25045d)
      #19 0x109335633 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x225633)
      #20 0x109361f91 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251f91)
      #21 0x1093361d6 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x2261d6)
      #22 0x109361f91 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251f91)
      #23 0x1093361d6 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x2261d6)
      #24 0x109361f91 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251f91)
      #25 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #26 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #27 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #28 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)
      #29 0x109361984 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (libQt6Widgets_debug.6.dylib:x86_64+0x251984)

      Thread T7 created by T0 here:
      #0 0x111ca878d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5978d)
      #1 0x1109bbcda in QThread::start(QThread::Priority) + 3978 at qthread_unix.cpp:707:16
      #2 0x1109e0b24 in QThreadPoolPrivate::startThread(QRunnable*) + 1476 at qthreadpool.cpp:253:23
      #3 0x1109e04b0 in QThreadPoolPrivate::tryStart(QRunnable*) + 1216 at qthreadpool.cpp:179:5
      #4 0x1109e6fa4 in QThreadPool::start(QRunnable*, int) + 356 at qthreadpool.cpp:500:13
      #5 0x1109e7231 in QThreadPool::start(std::__1::function<void ()>, int) + 337 at qthreadpool.cpp:517:5
      #6 0x10d8b8b89 in void handleSpans<BlendSrcGeneric>(int, QT_FT_Span_ const*, QSpanData const*, Operator const&) + 2041 at qdrawhelper.cpp:4015:5
      #7 0x10d7c32bc in blend_src_generic(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x1aba2bc)
      #8 0x10d7c27fe in qBlendGradient(int, QT_FT_Span_ const*, void*) (libQt6Gui_debug.6.dylib:x86_64+0x1ab97fe)
      #9 0x10c552f10 in gray_hline (libQt6Gui_debug.6.dylib:x86_64+0x849f10)
      #10 0x10c549300 in gray_sweep (libQt6Gui_debug.6.dylib:x86_64+0x840300)
      #11 0x10c54747a in gray_convert_glyph (libQt6Gui_debug.6.dylib:x86_64+0x83e47a)
      #12 0x10c5446ca in gray_raster_render (libQt6Gui_debug.6.dylib:x86_64+0x83b6ca)
      #13 0x10c6331b7 in QRasterPaintEnginePrivate::rasterize(QT_FT_Outline_, void (int, QT_FT_Span_ const, void*), void*, QRasterBuffer*) (libQt6Gui_debug.6.dylib:x86_64+0x92a1b7)
      #14 0x10c6376c6 in QRasterPaintEnginePrivate::rasterize(QT_FT_Outline_, void (int, QT_FT_Span_ const, void*), QSpanData*, QRasterBuffer*) (libQt6Gui_debug.6.dylib:x86_64+0x92e6c6)
      #15 0x10c640142 in QRasterPaintEngine::fill(QVectorPath const&, QBrush const&) (libQt6Gui_debug.6.dylib:x86_64+0x937142)
      #16 0x10c6a9eef in QPaintEngineEx::draw(QVectorPath const&) (libQt6Gui_debug.6.dylib:x86_64+0x9a0eef)
      #17 0x10c6afbd7 in QPaintEngineEx::drawEllipse(QRectF const&) (libQt6Gui_debug.6.dylib:x86_64+0x9a6bd7)
      #18 0x10c667b97 in QRasterPaintEngine::drawEllipse(QRectF const&) (libQt6Gui_debug.6.dylib:x86_64+0x95eb97)
      #19 0x10c6dff5c in QPainter::drawEllipse(QRectF const&) (libQt6Gui_debug.6.dylib:x86_64+0x9d6f5c)
      #20 0x107de69ea in color_widgets::ColorWheel::Private::render_ring() qpainter.h:590
      #21 0x107de9681 in color_widgets::ColorWheel::resizeEvent(QResizeEvent*) color_wheel.cpp:234
      #22 0x109385958 in QWidget::event(QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x275958)
      #23 0x109133c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x23c8c)
      #24 0x109141edf in QApplication::notify(QObject*, QEvent*) (libQt6Widgets_debug.6.dylib:x86_64+0x31edf)
      #25 0x10ffe5bdd in QCoreApplication::notifyInternal2(QObject*, QEvent*) (libQt6Core_debug.6.dylib:x86_64+0x2c6bdd)
      #26 0x10ffe89ec in QCoreApplication::sendEvent(QObject*, QEvent*) (libQt6Core_debug.6.dylib:x86_64+0x2c99ec)
      #27 0x10935e256 in QWidgetPrivate::sendPendingMoveAndResizeEvents(bool, bool) (libQt6Widgets_debug.6.dylib:x86_64+0x24e256)
      #28 0x10937f1c9 in QWidgetPrivate::show_helper() (libQt6Widgets_debug.6.dylib:x86_64+0x26f1c9)
      #29 0x109381a94 in QWidgetPrivate::setVisible(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x271a94)
      #30 0x1093810be in QWidget::setVisible(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x2710be)
      #31 0x10937ed5c in QWidget::show() (libQt6Widgets_debug.6.dylib:x86_64+0x26ed5c)
      #32 0x10937fa1a in QWidgetPrivate::showChildren(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x26fa1a)
      #33 0x10937f1ea in QWidgetPrivate::show_helper() (libQt6Widgets_debug.6.dylib:x86_64+0x26f1ea)
      #34 0x10937f000 in QWidgetPrivate::show_recursive() (libQt6Widgets_debug.6.dylib:x86_64+0x26f000)
      #35 0x10937fa09 in QWidgetPrivate::showChildren(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x26fa09)
      #36 0x10937f1ea in QWidgetPrivate::show_helper() (libQt6Widgets_debug.6.dylib:x86_64+0x26f1ea)
      #37 0x10937f000 in QWidgetPrivate::show_recursive() (libQt6Widgets_debug.6.dylib:x86_64+0x26f000)
      #38 0x10937fa09 in QWidgetPrivate::showChildren(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x26fa09)
      #39 0x10937f1ea in QWidgetPrivate::show_helper() (libQt6Widgets_debug.6.dylib:x86_64+0x26f1ea)
      #40 0x109381a94 in QWidgetPrivate::setVisible(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x271a94)
      #41 0x1093810be in QWidget::setVisible(bool) (libQt6Widgets_debug.6.dylib:x86_64+0x2710be)
      #42 0x10937ed5c in QWidget::show() (libQt6Widgets_debug.6.dylib:x86_64+0x26ed5c)
      #43 0x107a7bca7 in MainWindow::MainWindow(bool) mainwindow.cpp:447
      #44 0x107aae8f8 in MainWindow::MainWindow(bool) mainwindow.cpp:161
      #45 0x107a68524 in Application::openBlankDocument() main.cpp:216
      #46 0x107a6d913 in main main.cpp:418
      #47 0x7fff75d423d4 in start (libdyld.dylib:x86_64+0x163d4)

      SUMMARY: AddressSanitizer: heap-use-after-free (atomic:956:17) in std::__1::__atomic_base<QMutexPrivate*, false>::compare_exchange_strong(QMutexPrivate*&, QMutexPrivate*, std::__1::memory_order, std::__1::memory_order)
      ==79936==ABORTING
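
Added example, not part of the report and not Qt's code: one way calling code can make the teardown order in steps 1 to 3 safe without depending on what `unlock()` touches after the waiter has been woken, by giving every releasing thread shared ownership of the semaphore state. `CountingSemaphore`, `BatchResult` and `run_batch` are hypothetical names, and `std::mutex` / `std::condition_variable` stand in for Qt's primitives.

```cpp
#include <atomic>
#include <condition_variable>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical mutex + condition-variable semaphore, the shape the report
// describes for platforms without futex support.
class CountingSemaphore {
public:
    void release(int n = 1) {
        std::lock_guard<std::mutex> locker(mutex_);
        avail_ += n;
        cond_.notify_all();
    }   // locker unlocks mutex_ here, so *this must still be alive

    void acquire(int n) {
        std::unique_lock<std::mutex> locker(mutex_);
        cond_.wait(locker, [&] { return avail_ >= n; });
        avail_ -= n;
    }

private:
    std::mutex mutex_;
    std::condition_variable cond_;
    int avail_ = 0;
};

struct BatchResult {
    int completed;     // work items finished when acquire() returned
    bool state_freed;  // semaphore state destroyed once the last owner left
};

// Fan out `workers` tasks and wait for all of them, as the handleSpans frames
// in the trace do, but with the semaphore on the heap and one owning
// reference per worker instead of a stack object captured by reference.
BatchResult run_batch(int workers) {
    auto sem = std::make_shared<CountingSemaphore>();
    std::weak_ptr<CountingSemaphore> watch = sem;
    auto done = std::make_shared<std::atomic<int>>(0);

    std::vector<std::thread> pool;
    for (int i = 0; i < workers; ++i) {
        pool.emplace_back([sem, done] {  // copies keep the state alive
            done->fetch_add(1);
            sem->release(1);             // may still be unlocking after the wake-up
        });
    }

    sem->acquire(workers);
    const int completed = done->load();
    sem.reset();  // the waiter lets go first, like the destructor in step 2;
                  // workers still inside release() hold their own reference

    for (auto &t : pool)
        t.join();  // cleanup only; safety above does not rely on it
    return BatchResult{completed, watch.expired()};
}

int main() {
    const BatchResult r = run_batch(8);
    return (r.completed == 8 && r.state_freed) ? 0 : 1;
}
```

Building this with `-fsanitize=address` or `-fsanitize=thread` exercises the same teardown path the report's trace shows.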
       

          People

            allan.jensen Allan Sandfeld Jensen
            csnover C S
