
ERROR: AddressSanitizer: heap-use-after-free in tst_seatv4::animatedCursor()


Details

    • 6cc9cdbfd (dev), f2c95767c (6.6), dc7704fd1 (6.5)

    Description

      Observed in a build from one week ago. Full test log.

      ==2098==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000055678 at pc 0x7f607f5f49ea bp 0x7ffccd73d560 sp 0x7ffccd73d558

      READ of size 1 at 0x606000055678 thread T0

          #0 0x7f607f5f49e9  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x1609e9)
          #1 0x7f607f68bec7 in QtWayland::wl_callback::handle_done(void*, wl_callback*, unsigned int) (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x1f7ec7)
          #2 0x7f6079ea16dc  (/usr/lib64/libffi.so.7+0x66dc)
          #3 0x7f6079ea0bde  (/usr/lib64/libffi.so.7+0x5bde)
          #4 0x7f607cfa1e93  (/usr/lib64/libwayland-client.so.0+0x9e93)
          #5 0x7f607cf9e388  (/usr/lib64/libwayland-client.so.0+0x6388)
          #6 0x7f607cf9fa83 in wl_display_dispatch_queue_pending (/usr/lib64/libwayland-client.so.0+0x7a83)
          #7 0x7f607f595c90  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x101c90)
          #8 0x7f607f594d46  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x100d46)
          #9 0x7f607f585edd in QtWaylandClient::QWaylandDisplay::flushRequests() (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0xf1edd)
          #10 0x7f607f58fa2c  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0xfba2c)
          #11 0x7f607c0aa647  (/home/qt/work/install/lib/libQt6Core.so.6+0x5dd647)
          #12 0x7f607c0942ae in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (/home/qt/work/install/lib/libQt6Core.so.6+0x5c72ae)
          #13 0x7f607bf45b58 in QAbstractEventDispatcher::awake() (/home/qt/work/install/lib/libQt6Core.so.6+0x478b58)
          #14 0x7f607c9002fd in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/qt/work/install/lib/libQt6Core.so.6+0xe332fd)
          #15 0x7f607e52b04a in QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/qt/work/install/lib/libQt6Gui.so.6+0x152404a)
          #16 0x7f607bf5962d in QCoreApplication::processEvents(QFlags<QEventLoop::ProcessEventsFlag>, QDeadlineTimer) (/home/qt/work/install/lib/libQt6Core.so.6+0x48c62d)
          #17 0x7f607c0ed765 in QTest::qWait(std::chrono::duration<long, std::ratio<1l, 1000l> >) (/home/qt/work/install/lib/libQt6Core.so.6+0x620765)
          #18 0x7f607c0ed571 in QTest::qWait(int) (/home/qt/work/install/lib/libQt6Core.so.6+0x620571)
          #19 0x55dd029e5d5b in tst_seatv4::animatedCursor() /home/qt/work/qt/qtwayland/tests/auto/client/seatv4/tst_seatv4.cpp:578
          #20 0x55dd029e6c1a in tst_seatv4::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/client/seatv4/tst_seatv4_autogen/include/tst_seatv4.moc:196
          #21 0x7f607bfa44f9 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d74f9)
          #22 0x7f607bfa217e in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d517e)
          #23 0x7f607fd812d4 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xca2d4)
          #24 0x7f607fd7c26d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xc526d)
          #25 0x7f607fd5a873  (/home/qt/work/install/lib/libQt6Test.so.6+0xa3873)
          #26 0x7f607fd5c5d8  (/home/qt/work/install/lib/libQt6Test.so.6+0xa55d8)
          #27 0x7f607fd5f37a  (/home/qt/work/install/lib/libQt6Test.so.6+0xa837a)
          #28 0x7f607fd61e2d in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0xaae2d)
          #29 0x7f607fd60b67 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0xa9b67)
          #30 0x55dd029e6907 in main /home/qt/work/qt/qtwayland/tests/auto/client/seatv4/tst_seatv4.cpp:583
          #31 0x7f607b15924c in __libc_start_main (/lib64/libc.so.6+0x3524c)
          #32 0x55dd02706c39 in _start ../sysdeps/x86_64/start.S:120
      

      0x606000055678 is located 56 bytes inside of 64-byte region [0x606000055640,0x606000055680)

      freed by thread T0 here:

          #0 0x7f607ff90e45 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.5+0x10ce45)
          #1 0x7f607f5f4954  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x160954)
          #2 0x7f607f5fdea9  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x169ea9)
          #3 0x7f607f5f9f87  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x165f87)
          #4 0x7f607f5f543c  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x16143c)
          #5 0x7f607f5e0525 in QtWaylandClient::QWaylandInputDevice::Pointer::updateCursor() (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x14c525)
          #6 0x7f607f5e0a0a in QtWaylandClient::QWaylandInputDevice::Pointer::cursorFrameCallback() (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x14ca0a)
          #7 0x7f607f5f4f7b  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x160f7b)
          #8 0x7f607f5fe08e  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x16a08e)
          #9 0x7f607f5f9c53 in std::function<void (unsigned int)>::operator()(unsigned int) const (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x165c53)
          #10 0x7f607f5f49b6  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x1609b6)
          #11 0x7f607f68bec7 in QtWayland::wl_callback::handle_done(void*, wl_callback*, unsigned int) (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x1f7ec7)
          #12 0x7f6079ea16dc  (/usr/lib64/libffi.so.7+0x66dc)
      

      previously allocated by thread T0 here:

          #0 0x7f607ff8f9bf in operator new(unsigned long) (/usr/lib64/libasan.so.5+0x10b9bf)
          #1 0x7f607f5f5492  (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x161492)
          #2 0x7f607f5e0525 in QtWaylandClient::QWaylandInputDevice::Pointer::updateCursor() (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x14c525)
          #3 0x7f607f5e4088 in QtWaylandClient::QWaylandInputDevice::Pointer::pointer_enter(unsigned int, wl_surface*, int, int) (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x150088)
          #4 0x7f607f691951 in QtWayland::wl_pointer::handle_enter(void*, wl_pointer*, unsigned int, wl_surface*, int, int) (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x1fd951)
          #5 0x7f6079ea16dc  (/usr/lib64/libffi.so.7+0x66dc)
      

      SUMMARY: AddressSanitizer: heap-use-after-free (/home/qt/work/install/lib/libQt6WaylandClient.so.6+0x1609e9)

      Shadow bytes around the buggy address:

        0x0c0c80002a70: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
        0x0c0c80002a80: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
        0x0c0c80002a90: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
        0x0c0c80002aa0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c0c80002ab0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
      =>0x0c0c80002ac0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd[fd]
        0x0c0c80002ad0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
        0x0c0c80002ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0c80002af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0c80002b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0c80002b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2098==ABORTING
      sanitizer-testrunner.py     INFO: Test exit code was: 1
      sanitizer-testrunner.py    ERROR: ASAN issues detected
      
