Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-124568

Texture.sourceItem heap-use-after-free error

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • P1: Critical
    • None
    • 6.7.0
    • Quick: 3D
    • None
    • macOS

    Description

      The attached sample is compiled with -fsanitize=address
      It displays an ApplicationWindow with a Quick3D Model textured with a Texture.sourceItem
      When the window is closed, address-sanitizer raises heap-use-after-free

      =================================================================
==64571==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011a018290 at pc 0x000106532c38 bp 0x00016b48ec20 sp 0x00016b48e3d0
READ of size 8 at 0x00011a018290 thread T0
    #0 0x106532c34 in wrap_memcpy+0x3fc (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x1ac34)
    #1 0x1169809b8 in QArrayDataPointer<QSGDynamicTexture*>::reallocateAndGrow(QArrayData::GrowthPosition, long long, QArrayDataPointer<QSGDynamicTexture*>*) qarraydatapointer.h
    #2 0x1169807c0 in QList<QSGDynamicTexture*> QtPrivate::sequential_erase_if<QList<QSGDynamicTexture*>, auto QtPrivate::sequential_erase<QList<QSGDynamicTexture*>, QSGLayer*>(QList<QSGDynamicTexture*>&, QSGLayer* const&)::'lambda'(QSGLayer*)>(QSGLayer*, QSGLayer* const&) qcontainertools_impl.h:339
    #3 0x11697eb7c in QQuick3DTexture::~QQuick3DTexture() qquick3dtexture.cpp:113
    #4 0x1169974ec in QQmlPrivate::QQmlElement<QQuick3DTexture>::~QQmlElement() qqmlprivate.h:98
    #5 0x107153830 in QObjectPrivate::deleteChildren() qobject.cpp:2216
    #6 0x1071535d0 in QObject::~QObject() qobject.cpp:1168
    #7 0x116990df4 in QQmlPrivate::QQmlElement<QQuick3DDefaultMaterial>::~QQmlElement() qqmlprivate.h:98
    #8 0x107153830 in QObjectPrivate::deleteChildren() qobject.cpp:2216
    #9 0x1071535d0 in QObject::~QObject() qobject.cpp:1168
    #10 0x116993098 in QQmlPrivate::QQmlElement<QQuick3DModel>::~QQmlElement() qqmlprivate.h:98
    #11 0x107153830 in QObjectPrivate::deleteChildren() qobject.cpp:2216
    #12 0x1071535d0 in QObject::~QObject() qobject.cpp:1168
    #13 0x1170f8ad8 in QQuickItem::~QQuickItem() qquickitem.cpp:2427
    #14 0x1169979ec in QQmlPrivate::QQmlElement<QQuick3DViewport>::~QQmlElement() qqmlprivate.h:98
    #15 0x107153830 in QObjectPrivate::deleteChildren() qobject.cpp:2216
    #16 0x1071535d0 in QObject::~QObject() qobject.cpp:1168
    #17 0x105e6368c in QWindow::~QWindow() qwindow.cpp:203
    #18 0x11719f1a0 in QQuickWindow::~QQuickWindow() qquickwindow.cpp:1159
    #19 0x116d0b0c8 in QQmlPrivate::QQmlElement<QQuickApplicationWindow>::~QQmlElement() qqmlprivate.h:98
    #20 0x1058dc6cc in QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:305
    #21 0x104977e24 in main+0x298 (crash:arm64+0x100007e24)
    #22 0x19bbe20dc  (<unknown module>)

0x00011a018290 is located 16 bytes inside of 32-byte region [0x00011a018280,0x00011a0182a0)
freed by thread T0 here:
    #0 0x10656b260 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x53260)
    #1 0x11696f3e4 in QQuick3DSceneManager::~QQuick3DSceneManager() qquick3dscenemanager.cpp:37
    #2 0x11696f8a8 in QQuick3DSceneManager::~QQuick3DSceneManager() qquick3dscenemanager.cpp:33
    #3 0x1169713e4 in QQuick3DWindowAttachment::~QQuick3DWindowAttachment() qquick3dscenemanager.cpp:461
    #4 0x116971618 in QQuick3DWindowAttachment::~QQuick3DWindowAttachment() qquick3dscenemanager.cpp:458
    #5 0x116983d68 in QQuick3DViewport::~QQuick3DViewport() qquick3dviewport.cpp:293
    #6 0x1169979ec in QQmlPrivate::QQmlElement<QQuick3DViewport>::~QQmlElement() qqmlprivate.h:98
    #7 0x107153830 in QObjectPrivate::deleteChildren() qobject.cpp:2216
    #8 0x1071535d0 in QObject::~QObject() qobject.cpp:1168
    #9 0x105e6368c in QWindow::~QWindow() qwindow.cpp:203
    #10 0x11719f1a0 in QQuickWindow::~QQuickWindow() qquickwindow.cpp:1159
    #11 0x116d0b0c8 in QQmlPrivate::QQmlElement<QQuickApplicationWindow>::~QQmlElement() qqmlprivate.h:98
    #12 0x1058dc6cc in QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:305
    #13 0x104977e24 in main+0x298 (crash:arm64+0x100007e24)
    #14 0x19bbe20dc  (<unknown module>)

previously allocated by thread T5 here:
    #0 0x10656b124 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x53124)
    #1 0x10720be50 in QArrayData::allocate(QArrayData**, long long, long long, long long, QArrayData::AllocationOption) qarraydata.cpp:201
    #2 0x116980b04 in QArrayDataPointer<QSGDynamicTexture*>::allocateGrow(QArrayDataPointer<QSGDynamicTexture*> const&, long long, QArrayData::GrowthPosition) qarraydatapointer.h:479
    #3 0x11698097c in QArrayDataPointer<QSGDynamicTexture*>::reallocateAndGrow(QArrayData::GrowthPosition, long long, QArrayDataPointer<QSGDynamicTexture*>*) qarraydatapointer.h:228
    #4 0x11698105c in void QtPrivate::QPodArrayOps<QSGDynamicTexture*>::emplace<QSGDynamicTexture*&>(long long, QSGDynamicTexture*&) qarraydataops.h:176
    #5 0x1169812e0 in QtPrivate::QCallableObject<QQuick3DTexture::updateSpatialNode(QSSGRenderGraphObject*)::$_3, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:555
    #6 0x10715bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
    #7 0x11719cdf4 in QQuickWindowPrivate::syncSceneGraph() qquickwindow.cpp:592
    #8 0x11733bcb8 in QSGRenderThread::sync(bool) qsgthreadedrenderloop.cpp:552
    #9 0x11733c130 in QSGRenderThread::syncAndRender() qsgthreadedrenderloop.cpp:715
    #10 0x11733d330 in QSGRenderThread::run() qsgthreadedrenderloop.cpp:974
    #11 0x107284744 in QThreadPrivate::start(void*) qthread_unix.cpp:285
    #12 0x19bf6af90 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6f90)
    #13 0x19bf65d30 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d30)

Thread T5 created by T0 here:
    #0 0x106563d6c in wrap_pthread_create+0x54 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x4bd6c)
    #1 0x107284eec in QThread::start(QThread::Priority) qthread_unix.cpp:723
    #2 0x11733ee34 in QSGThreadedRenderLoop::handleExposure(QQuickWindow*) qsgthreadedrenderloop.cpp:1328
    #3 0x11733e9ac in QSGThreadedRenderLoop::exposureChanged(QQuickWindow*) qsgthreadedrenderloop.cpp:1247
    #4 0x105e6991c in QWindow::event(QEvent*) qwindow.cpp
    #5 0x1171a02f0 in QQuickWindow::event(QEvent*) qquickwindow.cpp:1621
    #6 0x1171ae6d4 in QQuickWindowQmlImpl::event(QEvent*) qquickwindowmodule.cpp:132
    #7 0x107110ea4 in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) qcoreapplication.cpp:1308
    #8 0x107110a2c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1134
    #9 0x105e16fd0 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) qguiapplication.cpp:3298
    #10 0x105e76410 in bool QWindowSystemHelper<QWindowSystemInterface::SynchronousDelivery>::handleEvent<QWindowSystemInterfacePrivate::ExposeEvent, QWindow*, QRegion>(QWindow*, QRegion) qwindowsysteminterface.cpp:105
    #11 0x105e7234c in bool QWindowSystemInterface::handleExposeEvent<QWindowSystemInterface::SynchronousDelivery>(QWindow*, QRegion const&) qwindowsysteminterface.cpp:337
    #12 0x104cc1280 in QCocoaWindow::handleExposeEvent(QRegion const&) qcocoawindow.mm:1466
    #13 0x104cd64a4 in -[QNSView(Drawing) displayLayer:] qnsview_drawing.mm:226
    #14 0x1a42543c4 in -[CALayer display]+0xcc (QuartzCore:arm64e+0x203c4)
    #15 0x1a4253bd0 in CA::Layer::display_if_needed(CA::Transaction*)+0x2e4 (QuartzCore:arm64e+0x1fbd0)
    #16 0x1a43d8460 in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1fc (QuartzCore:arm64e+0x1a4460)
    #17 0x1a4236614 in CA::Transaction::commit()+0x284 (QuartzCore:arm64e+0x2614)
    #18 0x19f9c8668 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x10c (AppKit:arm64e+0x162668)
    #19 0x1a0385e10 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0xb1fe10)
    #20 0x19c049250 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x7d250)
    #21 0x19c04913c in __CFRunLoopDoObservers+0x214 (CoreFoundation:arm64e+0x7d13c)
    #22 0x19c048768 in __CFRunLoopRun+0x304 (CoreFoundation:arm64e+0x7c768)
    #23 0x19c047e08 in CFRunLoopRunSpecific+0x25c (CoreFoundation:arm64e+0x7be08)
    #24 0x1a67e2ffc in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32ffc)
    #25 0x1a67e2c8c in ReceiveNextEventCommon+0xd8 (HIToolbox:arm64e+0x32c8c)
    #26 0x1a67e2b90 in _BlockUntilNextEventMatchingListInModeWithFilter+0x48 (HIToolbox:arm64e+0x32b90)
    #27 0x19f8a096c in _DPSNextEvent+0x290 (AppKit:arm64e+0x3a96c)
    #28 0x1a0092de8 in -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x2b8 (AppKit:arm64e+0x82cde8)
    #29 0x19f893cb4 in -[NSApplication run]+0x1d8 (AppKit:arm64e+0x2dcb4)
    #30 0x104c9629c in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qcocoaeventdispatcher.mm:406
    #31 0x10711a588 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:182
    #32 0x107111080 in QCoreApplication::exec() qcoreapplication.cpp:1478
    #33 0x104977e0c in main+0x280 (crash:arm64+0x100007e0c)
    #34 0x19bbe20dc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x1ac34) in wrap_memcpy+0x3fc
Shadow bytes around the buggy address:
  0x00011a018000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x00011a018080: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x00011a018100: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x00011a018180: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x00011a018200: fd fd fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
=>0x00011a018280: fd fd[fd]fd fa fa 00 00 00 00 fa fa 00 00 00 04
  0x00011a018300: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x00011a018380: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x00011a018400: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x00011a018480: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x00011a018500: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64571==ABORTING

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-122052 View3D as sourceItem of texture in XR not working

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              stromme Christian
              rectalogic Andrew Wason
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes