  1. Qt
  2. QTBUG-117056

ERROR: AddressSanitizer: heap-use-after-free in tst_QAudioSink::pullResumeFromUnderrun()


Details

    • 57d59a4e2 (dev), 3a5250038 (6.6), da7dd8fce (6.5)

    Description

      A week ago I tested an ASAN-enabled build and got this error in qtmultimedia (full log here). Both the use and the free below point at tst_qaudiosink.cpp:635, so it appears that QAudioSink::~QAudioSink() disconnects from the AudioPullSource (a QIODevice) after that source has already been destroyed at the same scope exit.

      ==2262==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000046a0 at pc 0x7f9ade806e83 bp 0x7ffc8e2af040 sp 0x7ffc8e2af038

      READ of size 8 at 0x6140000046a0 thread T0

          #0 0x7f9ade806e82 in std::atomic<QObjectPrivate::ConnectionData*>::load(std::memory_order) const (/home/qt/work/install/lib/libQt6Core.so.6+0x5e2e82)
          #1 0x7f9ade802229  (/home/qt/work/install/lib/libQt6Core.so.6+0x5de229)
          #2 0x7f9ade7fb391  (/home/qt/work/install/lib/libQt6Core.so.6+0x5d7391)
          #3 0x7f9ade7e6d7c  (/home/qt/work/install/lib/libQt6Core.so.6+0x5c2d7c)
          #4 0x7f9ade7f0db1 in QObject::disconnectImpl(QObject const*, void**, QObject const*, void**, QMetaObject const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x5ccdb1)
          #5 0x7f9ae25be5d2 in bool QObject::disconnect<void (QIODevice::*)()>(QtPrivate::FunctionPointer<void (QIODevice::*)()>::Object const*, void (QIODevice::*)(), QObject const*, void**) (/home/qt/work/install/lib/libQt6Multimedia.so.6+0x2b05d2)
          #6 0x7f9ae25b89d5  (/home/qt/work/install/lib/libQt6Multimedia.so.6+0x2aa9d5)
          #7 0x7f9ae25b3cfb  (/home/qt/work/install/lib/libQt6Multimedia.so.6+0x2a5cfb)
          #8 0x7f9ae25b3e5b  (/home/qt/work/install/lib/libQt6Multimedia.so.6+0x2a5e5b)
          #9 0x7f9ae23f465c in QAudioSink::~QAudioSink() (/home/qt/work/install/lib/libQt6Multimedia.so.6+0xe665c)
          #10 0x557a50c9e018 in tst_QAudioSink::pullResumeFromUnderrun() /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:635
          #11 0x557a50cb10b4 in tst_QAudioSink::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/integration/qaudiosink/tst_qaudiosink_autogen/include/tst_qaudiosink.moc:211
          #12 0x7f9ade6fb4f9 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d74f9)
          #13 0x7f9ade6f917e in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d517e)
          #14 0x7f9ae29f92d4 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xca2d4)
          #15 0x7f9ae29f426d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xc526d)
          #16 0x7f9ae29d2873  (/home/qt/work/install/lib/libQt6Test.so.6+0xa3873)
          #17 0x7f9ae29d45d8  (/home/qt/work/install/lib/libQt6Test.so.6+0xa55d8)
          #18 0x7f9ae29d737a  (/home/qt/work/install/lib/libQt6Test.so.6+0xa837a)
          #19 0x7f9ae29d9e2d in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0xaae2d)
          #20 0x7f9ae29d8b67 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0xa9b67)
          #21 0x557a50cb0e6c in main /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:1013
          #22 0x7f9add8b024c in __libc_start_main (/lib64/libc.so.6+0x3524c)
          #23 0x557a50c86d59 in _start ../sysdeps/x86_64/start.S:120
      

      0x6140000046a0 is located 96 bytes inside of 392-byte region [0x614000004640,0x6140000047c8)

      freed by thread T0 here:

          #0 0x7f9ae2c08e45 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.5+0x10ce45)
          #1 0x7f9ade5d80c6 in QIODevicePrivate::~QIODevicePrivate() (/home/qt/work/install/lib/libQt6Core.so.6+0x3b40c6)
          #2 0x7f9ade8027bc  (/home/qt/work/install/lib/libQt6Core.so.6+0x5de7bc)
          #3 0x7f9ade7fbf55  (/home/qt/work/install/lib/libQt6Core.so.6+0x5d7f55)
          #4 0x7f9ade7d79d8 in QObject::~QObject() (/home/qt/work/install/lib/libQt6Core.so.6+0x5b39d8)
          #5 0x7f9ade5d82b0 in QIODevice::~QIODevice() (/home/qt/work/install/lib/libQt6Core.so.6+0x3b42b0)
          #6 0x557a50cb37fc in ~AudioPullSource /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:573
          #7 0x557a50c9dfd2 in tst_QAudioSink::pullResumeFromUnderrun() /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:635
          #8 0x557a50cb10b4 in tst_QAudioSink::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/integration/qaudiosink/tst_qaudiosink_autogen/include/tst_qaudiosink.moc:211
          #9 0x7f9ade6fb4f9 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d74f9)
          #10 0x7f9ade6f917e in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d517e)
          #11 0x7f9ae29f92d4 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xca2d4)
          #12 0x7f9ae29f426d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xc526d)
          #13 0x7f9ae29d2873  (/home/qt/work/install/lib/libQt6Test.so.6+0xa3873)
          #14 0x7f9ae29d45d8  (/home/qt/work/install/lib/libQt6Test.so.6+0xa55d8)
          #15 0x7f9ae29d737a  (/home/qt/work/install/lib/libQt6Test.so.6+0xa837a)
          #16 0x7f9ae29d9e2d in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0xaae2d)
          #17 0x7f9ae29d8b67 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0xa9b67)
          #18 0x557a50cb0e6c in main /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:1013
          #19 0x7f9add8b024c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      previously allocated by thread T0 here:

          #0 0x7f9ae2c079bf in operator new(unsigned long) (/usr/lib64/libasan.so.5+0x10b9bf)
          #1 0x7f9ade5d80e6 in QIODevice::QIODevice() (/home/qt/work/install/lib/libQt6Core.so.6+0x3b40e6)
          #2 0x557a50c9ba0d in AudioPullSource /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:573
          #3 0x557a50c9befb in tst_QAudioSink::pullResumeFromUnderrun() /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:602
          #4 0x557a50cb10b4 in tst_QAudioSink::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/integration/qaudiosink/tst_qaudiosink_autogen/include/tst_qaudiosink.moc:211
          #5 0x7f9ade6fb4f9 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d74f9)
          #6 0x7f9ade6f917e in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d517e)
          #7 0x7f9ae29f92d4 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xca2d4)
          #8 0x7f9ae29f426d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xc526d)
          #9 0x7f9ae29d2873  (/home/qt/work/install/lib/libQt6Test.so.6+0xa3873)
          #10 0x7f9ae29d45d8  (/home/qt/work/install/lib/libQt6Test.so.6+0xa55d8)
          #11 0x7f9ae29d737a  (/home/qt/work/install/lib/libQt6Test.so.6+0xa837a)
          #12 0x7f9ae29d9e2d in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0xaae2d)
          #13 0x7f9ae29d8b67 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0xa9b67)
          #14 0x557a50cb0e6c in main /home/qt/work/qt/qtmultimedia/tests/auto/integration/qaudiosink/tst_qaudiosink.cpp:1013
          #15 0x7f9add8b024c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      SUMMARY: AddressSanitizer: heap-use-after-free (/home/qt/work/install/lib/libQt6Core.so.6+0x5e2e82) in std::atomic<QObjectPrivate::ConnectionData*>::load(std::memory_order) const

      Shadow bytes around the buggy address:

        0x0c287fff8880: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c287fff8890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c287fff88a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c287fff88b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
        0x0c287fff88c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      =>0x0c287fff88d0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
        0x0c287fff88e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c287fff88f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
        0x0c287fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c287fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c287fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2262==ABORTING
      sanitizer-testrunner.py     INFO: Test exit code was: 1
      sanitizer-testrunner.py    ERROR: ASAN issues detected
      

