
[gstreamer] use-after-free when switching camera

Details

    • Bug
    • Resolution: Cannot Reproduce
    • P1: Critical
    • None
    • 6.8
    • Multimedia
    • Linux/X11
    • Multimedia Wk7

    Description

      Switching the camera in the reproducer for QTBUG-105062 gives me:

      ==301064==ERROR: AddressSanitizer: heap-use-after-free on address 0x50e000019dd0 at pc 0x7f700c859cd3 bp 0x7ffcd4805230 sp 0x7ffcd4805228
      READ of size 4 at 0x50e000019dd0 thread T0
          #0 0x7f700c859cd2 in toPassTrackerUsageState(QGles2Texture::UsageState const&) /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhigles2.cpp:2850:25
          #1 0x7f700c83b488 in QRhiGles2::trackedRegisterTexture(QRhiPassResourceTracker*, QGles2Texture*, QRhiPassResourceTracker::TextureAccess, QRhiPassResourceTracker::TextureStage) /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhigles2.cpp:2871:60
          #2 0x7f700c83a0df in QRhiGles2::setShaderResources(QRhiCommandBuffer*, QRhiShaderResourceBindings*, int, std::pair<int, unsigned int> const*) /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhigles2.cpp:1716:21
          #3 0x7f700c14256f in QRhiCommandBuffer::setShaderResources(QRhiShaderResourceBindings*, int, std::pair<int, unsigned int> const*) /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhi.cpp:9330:12
          #4 0x7f70102bfb8e in QVideoWindowPrivate::render() /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:417:9
          #5 0x7f70102c06ce in QVideoWindow::event(QEvent*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:477:12
          #6 0x7f700ec31ff9 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3298:26
          #7 0x7f700ec3d5d6 in QApplication::notify(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3249:18
          #8 0x7f700aa70ecc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138:18
          #9 0x7f700aa74368 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1581:12
          #10 0x7f700bab7da0 in QPlatformWindow::deliverUpdateRequest() /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qplatformwindow.cpp:783:5
          #11 0x7f700bab3c68 in QPlatformWindow::windowEvent(QEvent*) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qplatformwindow.cpp:454:13
          #12 0x7f7002640e5d in QXcbWindow::windowEvent(QEvent*) /home/tim/dev/qt6-dev/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:2392:29
          #13 0x7f7002640e90 in non-virtual thunk to QXcbWindow::windowEvent(QEvent*) /home/tim/dev/qt6-dev/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp
          #14 0x7f700b904c94 in QGuiApplicationPrivate::sendQWindowEventToQPlatformWindow(QWindow*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qguiapplication.cpp:2053:28
          #15 0x7f700ec36bd0 in QApplication::notify(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:2592:12
          #16 0x7f700aa70ecc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138:18
          #17 0x7f700aa74368 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1581:12
          #18 0x7f700a30e201 in QTimerInfoList::activateTimers() /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qtimerinfo_unix.cpp:436:13
          #19 0x7f7009d28697 in timerSourceDispatch(_GSource*, int (*)(void*), void*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:150:35
          #20 0x7f700b31bd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
          #21 0x7f700b371257  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab257) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
          #22 0x7f700b3193e2 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x533e2) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
          #23 0x7f7009cc9b90 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:394:19
          #24 0x7f7002577d7a in QXcbGlibEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/tim/dev/qt6-dev/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:96:34
          #25 0x7f700aa86c93 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qeventloop.cpp:100:55
          #26 0x7f700aa7366e in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qeventloop.cpp:191:9
          #27 0x7f700aa72ea7 in QCoreApplication::exec() /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1482:32
          #28 0x7f700b9046a5 in QGuiApplication::exec() /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qguiapplication.cpp:1924:12
          #29 0x7f700ec35fe8 in QApplication::exec() /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:2568:12
          #30 0x5573039f8b05 in main /home/tim/dev/qt6-dev/qtmultimedia/examples/multimedia/QTBUG-105062/DiaWebCamScan/main.cpp:10:12
          #31 0x7f7009229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #32 0x7f7009229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
          #33 0x557303916ca4 in _start (/home/tim/build/build-qt6-dev-clang_17_qt_dev-Debug2/qtmultimedia/examples/multimedia/QTBUG-105062/qtbug-105062+0x35ca4) (BuildId: ccc47ddd5fafbe34a1f020f222f4161ba26e0855)
      
      0x50e000019dd0 is located 144 bytes inside of 152-byte region [0x50e000019d40,0x50e000019dd8)
      freed by thread T0 here:
          #0 0x5573039f031d in operator delete(void*) (/home/tim/build/build-qt6-dev-clang_17_qt_dev-Debug2/qtmultimedia/examples/multimedia/QTBUG-105062/qtbug-105062+0x10f31d) (BuildId: ccc47ddd5fafbe34a1f020f222f4161ba26e0855)
          #1 0x7f700c878911 in QGles2Texture::~QGles2Texture() /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhigles2.cpp:5289:1
          #2 0x7f701028f7d2 in std::default_delete<QRhiTexture>::operator()(QRhiTexture*) const /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:99:2
          #3 0x7f701028efab in std::unique_ptr<QRhiTexture, std::default_delete<QRhiTexture>>::~unique_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:404:4
          #4 0x7f701028f19c in std::array<std::unique_ptr<QRhiTexture, std::default_delete<QRhiTexture>>, 3ul>::~array() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/array:94:12
          #5 0x7f701028741e in QVideoTextureHelper::createTexturesFromMemory(QVideoFrame, QRhi*, QRhiResourceUpdateBatch*, QVideoFrameTextures*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideotexturehelper.cpp:726:1
          #6 0x7f7010286c27 in QVideoTextureHelper::createTextures(QVideoFrame&, QRhi*, QRhiResourceUpdateBatch*, std::unique_ptr<QVideoFrameTextures, std::default_delete<QVideoFrameTextures>>&&) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideotexturehelper.cpp:740:12
          #7 0x7f70102bb4e3 in QVideoWindowPrivate::updateTextures(QRhiResourceUpdateBatch*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:216:23
          #8 0x7f70102bebaa in QVideoWindowPrivate::render() /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:375:9
          #9 0x7f70102c06ce in QVideoWindow::event(QEvent*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:477:12
          #10 0x7f700ec31ff9 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3298:26
          #11 0x7f700ec3d5d6 in QApplication::notify(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3249:18
          #12 0x7f700aa70ecc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138:18
          #13 0x7f700aa74368 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1581:12
          #14 0x7f700bab7da0 in QPlatformWindow::deliverUpdateRequest() /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qplatformwindow.cpp:783:5
          #15 0x7f700bab3c68 in QPlatformWindow::windowEvent(QEvent*) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qplatformwindow.cpp:454:13
          #16 0x7f7002640e5d in QXcbWindow::windowEvent(QEvent*) /home/tim/dev/qt6-dev/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:2392:29
          #17 0x7f7002640e90 in non-virtual thunk to QXcbWindow::windowEvent(QEvent*) /home/tim/dev/qt6-dev/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp
          #18 0x7f700b904c94 in QGuiApplicationPrivate::sendQWindowEventToQPlatformWindow(QWindow*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qguiapplication.cpp:2053:28
          #19 0x7f700ec36bd0 in QApplication::notify(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:2592:12
          #20 0x7f700aa70ecc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138:18
          #21 0x7f700aa74368 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1581:12
          #22 0x7f700a30e201 in QTimerInfoList::activateTimers() /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qtimerinfo_unix.cpp:436:13
          #23 0x7f7009d28697 in timerSourceDispatch(_GSource*, int (*)(void*), void*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:150:35
          #24 0x7f700b31bd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
      
      previously allocated by thread T0 here:
          #0 0x5573039efabd in operator new(unsigned long) (/home/tim/build/build-qt6-dev-clang_17_qt_dev-Debug2/qtmultimedia/examples/multimedia/QTBUG-105062/qtbug-105062+0x10eabd) (BuildId: ccc47ddd5fafbe34a1f020f222f4161ba26e0855)
          #1 0x7f700c8392a8 in QRhiGles2::createTexture(QRhiTexture::Format, QSize const&, int, int, int, QFlags<QRhiTexture::Flag>) /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhigles2.cpp:1639:12
          #2 0x7f700c1454e6 in QRhi::newTexture(QRhiTexture::Format, QSize const&, int, QFlags<QRhiTexture::Flag>) /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhi.cpp:10358:15
          #3 0x7f701028cba8 in QVideoTextureHelper::updateTextureWithMap(QVideoFrame&, QRhi*, QRhiResourceUpdateBatch*, int, std::unique_ptr<QRhiTexture, std::default_delete<QRhiTexture>>&) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideotexturehelper.cpp:598:24
          #4 0x7f7010287374 in QVideoTextureHelper::createTexturesFromMemory(QVideoFrame, QRhi*, QRhiResourceUpdateBatch*, QVideoFrameTextures*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideotexturehelper.cpp:720:15
          #5 0x7f7010286c27 in QVideoTextureHelper::createTextures(QVideoFrame&, QRhi*, QRhiResourceUpdateBatch*, std::unique_ptr<QVideoFrameTextures, std::default_delete<QVideoFrameTextures>>&&) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideotexturehelper.cpp:740:12
          #6 0x7f70102bb4e3 in QVideoWindowPrivate::updateTextures(QRhiResourceUpdateBatch*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:216:23
          #7 0x7f70102bebaa in QVideoWindowPrivate::render() /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:375:9
          #8 0x7f70102c0822 in QVideoWindow::event(QEvent*) /home/tim/dev/qt6-dev/qtmultimedia/src/multimedia/video/qvideowindow.cpp:490:16
          #9 0x7f700ec31ff9 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3298:26
          #10 0x7f700ec3d5d6 in QApplication::notify(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/widgets/kernel/qapplication.cpp:3249:18
          #11 0x7f700aa70ecc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138:18
          #12 0x7f700aa74448 in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) /home/tim/dev/qt6-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1595:12
          #13 0x7f700b912b4f in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qguiapplication.cpp:3295:5
          #14 0x7f700b905cf6 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qguiapplication.cpp:2139:9
          #15 0x7f700bb5b32e in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/tim/dev/qt6-dev/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1114:13
          #16 0x7f7002577a32 in xcbSourceDispatch(_GSource*, int (*)(void*), void*) /home/tim/dev/qt6-dev/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:57:5
          #17 0x7f700b31bd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/tim/dev/qt6-dev/qtbase/src/gui/rhi/qrhigles2.cpp:2850:25 in toPassTrackerUsageState(QGles2Texture::UsageState const&)
      

            People

              timblechmann tim blechmann