
AddressSanitizer: heap-use-after-free in tst_QFuture::continuationsWithContext()


Details

    • 11333a097 (dev), 7f6b62f3f (6.7), f8c5af9ef (6.6)
    • Foundations Sprint 98

    Description

      Reported from this integration run. The trace below shows the QObjectContinuationWrapper allocated in QtPrivate::watchContinuationImpl on thread T0 being deleted on thread T13 (via QObject::event, apparently a deferred delete) while T0 is still reading it in queued_activate during reportFinished().

      ==20005==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000003550 at pc 0x7f05000c7d04 bp 0x7ffd321e3c50 sp 0x7ffd321e3c48

      READ of size 8 at 0x602000003550 thread T0

          #0 0x7f05000c7d03 in queued_activate /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:3880
          #1 0x7f05000de838 in void doActivate<false>(QObject*, int, void**) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:4021
          #2 0x7f05000c87da in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:4121
          #3 0x7f05005c30f2 in QObjectContinuationWrapper::run() /home/qt/work/qt/qtbase_build/src/corelib/Core_autogen/include/qfutureinterface.moc:137
          #4 0x7f05005b8a8e in operator() /home/qt/work/qt/qtbase/src/corelib/thread/qfutureinterface.cpp:100
          #5 0x7f05005c3706 in _M_invoke /usr/include/c++/9/bits/std_function.h:300
          #6 0x7f05005c59fc in std::function<void (QFutureInterfaceBase const&)>::operator()(QFutureInterfaceBase const&) const /usr/include/c++/9/bits/std_function.h:688
          #7 0x7f05005c275d in QFutureInterfaceBase::runContinuation() const /home/qt/work/qt/qtbase/src/corelib/thread/qfutureinterface.cpp:931
          #8 0x5566a307638b in QFutureInterface<int>::reportFinished() /home/qt/work/install/include/QtCore/qfutureinterface.h:258
          #9 0x5566a3076255 in QPromise<int>::finish() /home/qt/work/install/include/QtCore/qpromise.h:75
          #10 0x5566a2e99468 in tst_QFuture::continuationsWithContext() /home/qt/work/qt/qtbase/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp:3334
          #11 0x5566a2ed066a in tst_QFuture::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/qt/work/qt/qtbase_standalone_tests/tests/auto/corelib/thread/qfuture/tst_qfuture_autogen/include/tst_qfuture.moc:1005
          #12 0x7f04fffd861f in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:2756
          #13 0x7f04fffd62a4 in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:2595
          #14 0x7f0501119ea0 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.h:148
          #15 0x7f0501114e6d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.h:160
          #16 0x7f05010f2799 in QTest::TestMethods::invokeTestOnData(int) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1166
          #17 0x7f05010f4557 in QTest::TestMethods::invokeTest(int, QLatin1String, QTest::WatchDog*) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1469
          #18 0x7f05010f7580 in QTest::TestMethods::invokeTests(QObject*) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1808
          #19 0x7f05010fa06b in QTest::qRun() /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:2450
          #20 0x7f05010f8d6d in QTest::qExec(QObject*, int, char**) /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:2328
          #21 0x5566a2ecb892 in main /home/qt/work/qt/qtbase/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp:5356
          #22 0x7f04ff1a224c in __libc_start_main (/lib64/libc.so.6+0x3524c)
          #23 0x5566a2e655c9 in _start ../sysdeps/x86_64/start.S:120
      

      0x602000003550 is located 0 bytes inside of 16-byte region [0x602000003550,0x602000003560)

      freed by thread T13 (QThread) here:

          #0 0x7f0501339e45 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.5+0x10ce45)
          #1 0x7f05005cd5e2 in QObjectContinuationWrapper::~QObjectContinuationWrapper() /home/qt/work/qt/qtbase/src/corelib/thread/qfutureinterface.cpp:47
          #2 0x7f05000b5d1d in QObject::event(QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:1433
          #3 0x7f04fff8ad67 in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1308
          #4 0x7f04fff8a518 in doNotify /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1235
          #5 0x7f04fff8a3df in QCoreApplication::notify(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1218
          #6 0x7f04fff8a1f1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1134
          #7 0x7f04fff8b9b4 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1575
          #8 0x7f04fff8e33b in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1932
          #9 0x7f04fff8ce01 in QCoreApplication::sendPostedEvents(QObject*, int) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1789
          #10 0x7f050096bea2 in postEventSourceDispatch /home/qt/work/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:244
          #11 0x7f04fe47982a in g_main_context_dispatch (/usr/lib64/libglib-2.0.so.0+0x5582a)
      

      previously allocated by thread T0 here:

          #0 0x7f05013389bf in operator new(unsigned long) (/usr/lib64/libasan.so.5+0x10b9bf)
          #1 0x7f05005b8c9e in QtPrivate::watchContinuationImpl(QObject const*, QtPrivate::QSlotObjectBase*, QFutureInterfaceBase&) /home/qt/work/qt/qtbase/src/corelib/thread/qfutureinterface.cpp:68
          #2 0x5566a2f5b828 in watchContinuation<QtPrivate::Continuation<Function, ResultType, ParentResultType>::create(F&&, QFuture<ParentResultType>*, QFutureInterface<ResultType>&, QObject*) [with F = tst_QFuture::continuationsWithContext()::<lambda(int)>; Function = tst_QFuture::continuationsWithContext()::<lambda(int)>; ResultType = int; ParentResultType = int]::<lambda()> > /home/qt/work/install/include/QtCore/qfuture_impl.h:598
          #3 0x5566a2f0c6ec in create<tst_QFuture::continuationsWithContext()::<lambda(int)> > /home/qt/work/install/include/QtCore/qfuture_impl.h:623
          #4 0x5566a2ed985c in then<tst_QFuture::continuationsWithContext()::<lambda(int)> > /home/qt/work/install/include/QtCore/qfuture.h:360
          #5 0x5566a2e99292 in tst_QFuture::continuationsWithContext() /home/qt/work/qt/qtbase/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp:3315
          #6 0x5566a2ed066a in tst_QFuture::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/qt/work/qt/qtbase_standalone_tests/tests/auto/corelib/thread/qfuture/tst_qfuture_autogen/include/tst_qfuture.moc:1005
          #7 0x7f04fffd861f in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:2756
          #8 0x7f04fffd62a4 in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:2595
          #9 0x7f0501119ea0 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.h:148
          #10 0x7f0501114e6d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.h:160
          #11 0x7f05010f2799 in QTest::TestMethods::invokeTestOnData(int) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1166
          #12 0x7f05010f4557 in QTest::TestMethods::invokeTest(int, QLatin1String, QTest::WatchDog*) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1469
          #13 0x7f05010f7580 in QTest::TestMethods::invokeTests(QObject*) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1808
          #14 0x7f05010fa06b in QTest::qRun() /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:2450
          #15 0x7f05010f8d6d in QTest::qExec(QObject*, int, char**) /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:2328
          #16 0x5566a2ecb892 in main /home/qt/work/qt/qtbase/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp:5356
          #17 0x7f04ff1a224c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      Thread T13 (QThread) created by T0 here:

          #0 0x7f05012691d2 in pthread_create (/usr/lib64/libasan.so.5+0x3c1d2)
          #1 0x7f050057583b in QThread::start(QThread::Priority) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:723
          #2 0x5566a2e98797 in tst_QFuture::continuationsWithContext() /home/qt/work/qt/qtbase/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp:3253
          #3 0x5566a2ed066a in tst_QFuture::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/qt/work/qt/qtbase_standalone_tests/tests/auto/corelib/thread/qfuture/tst_qfuture_autogen/include/tst_qfuture.moc:1005
          #4 0x7f04fffd861f in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:2756
          #5 0x7f04fffd62a4 in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:2595
          #6 0x7f0501119ea0 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.h:148
          #7 0x7f0501114e6d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const /home/qt/work/qt/qtbase/src/corelib/kernel/qmetaobject.h:160
          #8 0x7f05010f2799 in QTest::TestMethods::invokeTestOnData(int) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1166
          #9 0x7f05010f4557 in QTest::TestMethods::invokeTest(int, QLatin1String, QTest::WatchDog*) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1469
          #10 0x7f05010f7580 in QTest::TestMethods::invokeTests(QObject*) const /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:1808
          #11 0x7f05010fa06b in QTest::qRun() /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:2450
          #12 0x7f05010f8d6d in QTest::qExec(QObject*, int, char**) /home/qt/work/qt/qtbase/src/testlib/qtestcase.cpp:2328
          #13 0x5566a2ecb892 in main /home/qt/work/qt/qtbase/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp:5356
          #14 0x7f04ff1a224c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      SUMMARY: AddressSanitizer: heap-use-after-free /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:3880 in queued_activate

      Shadow bytes around the buggy address:
        0x0c047fff8650: fa fa fd fd fa fa fd fa fa fa 04 fa fa fa fd fd
        0x0c047fff8660: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 01 fa
        0x0c047fff8670: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
        0x0c047fff8680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
        0x0c047fff8690: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
      =>0x0c047fff86a0: fa fa fd fd fa fa 00 00 fa fa[fd]fd fa fa 00 00
        0x0c047fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff86c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff86f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==20005==ABORTING
      
