Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-119137

ERROR: AddressSanitizer: heap-use-after-free in tst_qmesh::checkSourceUpdate() in qt3d

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • P1: Critical
    • 6.7
    • dev
    • Qt3D
    • ff61fbf9c (dev), 618f420c7 (6.6)

    Description

      From this log:

      ********* Start testing of tst_QMesh *********
      Config: Using QtTest library 6.7.0, Qt 6.7.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 9.3.1 20200406 [revision 6db837a5288ee3ca5ec504fbd5a765817e556ac2]), opensuse-leap 15.5
      PASS   : tst_QMesh::initTestCase()
      PASS   : tst_QMesh::checkDefaultConstruction()
      PASS   : tst_QMesh::checkPropertyChanges()
      =================================================================
      

      ==2647==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000018ee8 at pc 0x7fbef0642fb7 bp 0x7ffef90932e0 sp 0x7ffef90932d8

      READ of size 8 at 0x604000018ee8 thread T0

          #0 0x7fbef0642fb6  (/home/qt/work/install/lib/libQt63DCore.so.6+0x17dfb6)
          #1 0x7fbef06414d3  (/home/qt/work/install/lib/libQt63DCore.so.6+0x17c4d3)
          #2 0x7fbef063f7b2  (/home/qt/work/install/lib/libQt63DCore.so.6+0x17a7b2)
          #3 0x7fbef063df70  (/home/qt/work/install/lib/libQt63DCore.so.6+0x178f70)
          #4 0x7fbef063e443  (/home/qt/work/install/lib/libQt63DCore.so.6+0x179443)
          #5 0x7fbef063e55d  (/home/qt/work/install/lib/libQt63DCore.so.6+0x17955d)
          #6 0x7fbef063e5b8  (/home/qt/work/install/lib/libQt63DCore.so.6+0x1795b8)
          #7 0x7fbef063ac62  (/home/qt/work/install/lib/libQt63DCore.so.6+0x175c62)
          #8 0x7fbef0637210 in Qt3DCore::QNodePrivate::notifyDestructionChangesAndRemoveFromScene() (/home/qt/work/install/lib/libQt63DCore.so.6+0x172210)
          #9 0x7fbef0639f85 in Qt3DCore::QNode::~QNode() (/home/qt/work/install/lib/libQt63DCore.so.6+0x174f85)
          #10 0x7fbef061c4fd in Qt3DCore::QComponent::~QComponent() (/home/qt/work/install/lib/libQt63DCore.so.6+0x1574fd)
          #11 0x7fbef05b1c78 in Qt3DCore::QBoundingVolume::~QBoundingVolume() (/home/qt/work/install/lib/libQt63DCore.so.6+0xecc78)
          #12 0x7fbef0e60e28 in Qt3DRender::QGeometryRenderer::~QGeometryRenderer() (/home/qt/work/install/lib/libQt63DRender.so.6+0x6cee28)
          #13 0x7fbef0e6be88 in Qt3DRender::QMesh::~QMesh() (/home/qt/work/install/lib/libQt63DRender.so.6+0x6d9e88)
          #14 0x55ccd58586be in tst_QMesh::checkSourceUpdate() (/home/qt/work/qt/qt3d_standalone_tests/tests/auto/render/qmesh/tst_qmesh+0x156be)
          #15 0x55ccd5850cf5 in tst_QMesh::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/qt/work/qt/qt3d_standalone_tests/tests/auto/render/qmesh/tst_qmesh_autogen/include/tst_qmesh.moc:177
          #16 0x7fbeec5ddc47 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x485c47)
          #17 0x7fbeec5db8cc in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4838cc)
          #18 0x7fbef16ed5cc in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xba5cc)
          #19 0x7fbef16e8599 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xb5599)
          #20 0x7fbef16c69e1  (/home/qt/work/install/lib/libQt6Test.so.6+0x939e1)
          #21 0x7fbef16c8746  (/home/qt/work/install/lib/libQt6Test.so.6+0x95746)
          #22 0x7fbef16cb4e8  (/home/qt/work/install/lib/libQt6Test.so.6+0x984e8)
          #23 0x7fbef16cdf9b in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0x9af9b)
          #24 0x7fbef16cccd5 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0x99cd5)
          #25 0x55ccd5850a96 in main /home/qt/work/qt/qt3d/tests/auto/render/qmesh/tst_qmesh.cpp:175
          #26 0x7fbeeb7e424c in __libc_start_main (/lib64/libc.so.6+0x3524c)
          #27 0x55ccd584e099 in _start ../sysdeps/x86_64/start.S:120
      

      0x604000018ee8 is located 24 bytes inside of 48-byte region [0x604000018ed0,0x604000018f00)

      freed by thread T0 here:

          #0 0x7fbef18fde45 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.5+0x10ce45)
          #1 0x7fbef063a8ee  (/home/qt/work/install/lib/libQt63DCore.so.6+0x1758ee)
          #2 0x7fbeec6be95f in QObjectPrivate::deleteChildren() (/home/qt/work/install/lib/libQt6Core.so.6+0x56695f)
          #3 0x7fbeec6ba4ac in QObject::~QObject() (/home/qt/work/install/lib/libQt6Core.so.6+0x5624ac)
          #4 0x7fbef055e9c0 in Qt3DCore::QAspectEngine::~QAspectEngine() (/home/qt/work/install/lib/libQt63DCore.so.6+0x999c0)
          #5 0x55ccd585869b in tst_QMesh::checkSourceUpdate() (/home/qt/work/qt/qt3d_standalone_tests/tests/auto/render/qmesh/tst_qmesh+0x1569b)
          #6 0x55ccd5850cf5 in tst_QMesh::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/qt/work/qt/qt3d_standalone_tests/tests/auto/render/qmesh/tst_qmesh_autogen/include/tst_qmesh.moc:177
          #7 0x7fbeec5ddc47 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x485c47)
          #8 0x7fbeec5db8cc in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4838cc)
          #9 0x7fbef16ed5cc in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xba5cc)
          #10 0x7fbef16e8599 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xb5599)
          #11 0x7fbef16c69e1  (/home/qt/work/install/lib/libQt6Test.so.6+0x939e1)
          #12 0x7fbef16c8746  (/home/qt/work/install/lib/libQt6Test.so.6+0x95746)
          #13 0x7fbef16cb4e8  (/home/qt/work/install/lib/libQt6Test.so.6+0x984e8)
          #14 0x7fbef16cdf9b in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0x9af9b)
          #15 0x7fbef16cccd5 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0x99cd5)
          #16 0x55ccd5850a96 in main /home/qt/work/qt/qt3d/tests/auto/render/qmesh/tst_qmesh.cpp:175
          #17 0x7fbeeb7e424c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      previously allocated by thread T0 here:

          #0 0x7fbef18fc9bf in operator new(unsigned long) (/usr/lib64/libasan.so.5+0x10b9bf)
          #1 0x7fbef0650c99  (/home/qt/work/install/lib/libQt63DCore.so.6+0x18bc99)
          #2 0x7fbef064e98b in Qt3DCore::QScene::QScene(Qt3DCore::QAspectEngine*) (/home/qt/work/install/lib/libQt63DCore.so.6+0x18998b)
          #3 0x55ccd5857d4a in tst_QMesh::checkSourceUpdate() (/home/qt/work/qt/qt3d_standalone_tests/tests/auto/render/qmesh/tst_qmesh+0x14d4a)
          #4 0x55ccd5850cf5 in tst_QMesh::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/qt/work/qt/qt3d_standalone_tests/tests/auto/render/qmesh/tst_qmesh_autogen/include/tst_qmesh.moc:177
          #5 0x7fbeec5ddc47 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x485c47)
          #6 0x7fbeec5db8cc in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4838cc)
          #7 0x7fbef16ed5cc in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xba5cc)
          #8 0x7fbef16e8599 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xb5599)
          #9 0x7fbef16c69e1  (/home/qt/work/install/lib/libQt6Test.so.6+0x939e1)
          #10 0x7fbef16c8746  (/home/qt/work/install/lib/libQt6Test.so.6+0x95746)
          #11 0x7fbef16cb4e8  (/home/qt/work/install/lib/libQt6Test.so.6+0x984e8)
          #12 0x7fbef16cdf9b in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0x9af9b)
          #13 0x7fbef16cccd5 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0x99cd5)
          #14 0x55ccd5850a96 in main /home/qt/work/qt/qt3d/tests/auto/render/qmesh/tst_qmesh.cpp:175
          #15 0x7fbeeb7e424c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      SUMMARY: AddressSanitizer: heap-use-after-free (/home/qt/work/install/lib/libQt63DCore.so.6+0x17dfb6)

      Shadow bytes around the buggy address:

        0x0c087fffb180: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
        0x0c087fffb190: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
        0x0c087fffb1a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
        0x0c087fffb1b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
        0x0c087fffb1c0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 07
      =>0x0c087fffb1d0: fa fa fd fd fd fd fd fd fa fa fd fd fd[fd]fd fd
        0x0c087fffb1e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 04
        0x0c087fffb1f0: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c087fffb200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffb210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffb220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2647==ABORTING
      

      Attachments

        Issue Links

          For Gerrit Dashboard: QTBUG-119137
          # Subject Branch Project Status CR V

          Activity

            People

              lemire_p Paul Lemire
              jimis Dimitrios Apostolou
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews